CVE-2026-41129
Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and on the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery (SSRF). Exploitation requires a few permissions to be enabled in the GraphQL schema in use: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue.
| CWE | CWE-918 |
| Vendor | craftcms |
| Product | cms |
| Published | Apr 21, 2026 |
Affected Versions
craftcms / cms
>= 5.0.0-RC1, < 5.9.15
>= 4.0.0-RC1, < 4.17.9